feat(hermes): add tirith security settings

2026-05-29 20:30:00 +08:00 · 2026-05-24 22:08:12 +08:00
parent 7be0ec66cc
commit b2146b54cb
8 changed files with 456 additions and 3 deletions
--- a/tests/hermes-config-page-ui.test.js
+++ b/tests/hermes-config-page-ui.test.js
@@ -67,6 +67,18 @@ test('Hermes 配置页会暴露未授权 DM 全局策略字段', () => {
  }
 })

+test('Hermes 配置页会暴露 Tirith 安全扫描结构化配置字段', () => {
+  for (const id of [
+    'hm-security-save',
+    'hm-security-tirith-enabled',
+    'hm-security-tirith-path',
+    'hm-security-tirith-timeout',
+    'hm-security-tirith-fail-open',
+  ]) {
+    assert.match(source, new RegExp(`id="${id}"`), `缺少 ${id}`)
+  }
+})
+
 test('Hermes 配置页会暴露网关流式结构化配置字段', () => {
  for (const id of [
    'hm-streaming-save',
@@ -128,6 +140,7 @@ test('Hermes 配置页新增结构化配置不会暴露翻译 key', () => {
    key.includes('SkillsConfig') ||
    key.includes('QuickCommandsConfig') ||
    key.includes('UnauthorizedDmConfig') ||
+    key.includes('SecurityConfig') ||
    key.includes('StreamingConfig') ||
    key.includes('ExecutionLimits') ||
    key.includes('TerminalConfig')
--- a/tests/hermes-security-config.test.js
+++ b/tests/hermes-security-config.test.js
@@ -0,0 +1,72 @@
+import test from 'node:test'
+import assert from 'node:assert/strict'
+
+import {
+  buildHermesSecurityConfigValues,
+  mergeHermesSecurityConfig,
+} from '../scripts/dev-api.js'
+
+test('Hermes 安全扫描配置读取会提供 Tirith 默认值', () => {
+  const values = buildHermesSecurityConfigValues({})
+
+  assert.deepEqual(values, {
+    tirithEnabled: true,
+    tirithPath: 'tirith',
+    tirithTimeout: 5,
+    tirithFailOpen: true,
+  })
+})
+
+test('Hermes 安全扫描配置读取会规范化已有值', () => {
+  const values = buildHermesSecurityConfigValues({
+    security: {
+      tirith_enabled: false,
+      tirith_path: 'C:/tools/tirith.exe',
+      tirith_timeout: 12,
+      tirith_fail_open: false,
+    },
+  })
+
+  assert.equal(values.tirithEnabled, false)
+  assert.equal(values.tirithPath, 'C:/tools/tirith.exe')
+  assert.equal(values.tirithTimeout, 12)
+  assert.equal(values.tirithFailOpen, false)
+})
+
+test('Hermes 安全扫描配置保存会保留未知字段并写入 security.tirith', () => {
+  const next = mergeHermesSecurityConfig({
+    model: { provider: 'anthropic' },
+    security: {
+      allow_private_urls: false,
+      website_blocklist: { enabled: true, domains: ['example.com'] },
+      custom_flag: 'keep-security',
+    },
+    terminal: { backend: 'docker' },
+  }, {
+    tirithEnabled: false,
+    tirithPath: '~/bin/tirith',
+    tirithTimeout: '9',
+    tirithFailOpen: false,
+  })
+
+  assert.deepEqual(next.model, { provider: 'anthropic' })
+  assert.deepEqual(next.terminal, { backend: 'docker' })
+  assert.equal(next.security.allow_private_urls, false)
+  assert.deepEqual(next.security.website_blocklist, { enabled: true, domains: ['example.com'] })
+  assert.equal(next.security.custom_flag, 'keep-security')
+  assert.equal(next.security.tirith_enabled, false)
+  assert.equal(next.security.tirith_path, '~/bin/tirith')
+  assert.equal(next.security.tirith_timeout, 9)
+  assert.equal(next.security.tirith_fail_open, false)
+})
+
+test('Hermes 安全扫描配置保存会拒绝非法超时和空路径', () => {
+  assert.throws(
+    () => mergeHermesSecurityConfig({}, { tirithTimeout: '0' }),
+    /security\.tirith_timeout/,
+  )
+  assert.throws(
+    () => mergeHermesSecurityConfig({}, { tirithPath: '' }),
+    /security\.tirith_path/,
+  )
+})